feat(audit): add pricing signature guards and reporting

Add snapshot, signature, and drift guard support for Vertex AI, Cloudflare Workers AI, and Perplexity API, backed by a queryable audit table and recent-window view. This commit also wires the audit query layer into daily signal materialization and report generation so structure drift becomes a first-class signal instead of a log-only artifact.
2026-05-15 22:34:22 +08:00
parent 958245537a
commit 256975e10c
46 changed files with 5822 additions and 34 deletions
--- a/scripts/cloudflare_pricing_signature_guard_lib.go
+++ b/scripts/cloudflare_pricing_signature_guard_lib.go
@@ -0,0 +1,136 @@
+//go:build llm_script
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+type cloudflarePricingSignatureGuardConfig struct {
+	URL            string
+	Fixture        string
+	SnapshotDir    string
+	BaselinePath   string
+	Timeout        time.Duration
+	AllowBootstrap bool
+}
+
+type cloudflarePricingSignatureGuardResult struct {
+	SnapshotPath         string
+	SignaturePath        string
+	BaselinePath         string
+	DriftDetected        bool
+	BaselineInitialized  bool
+	PreviousBaselineHash string
+	CurrentSignature     markdownPricingStructureSignature
+}
+
+func runCloudflarePricingSignatureGuard(cfg cloudflarePricingSignatureGuardConfig, now time.Time) (cloudflarePricingSignatureGuardResult, error) {
+	snapshotDir := cfg.SnapshotDir
+	if snapshotDir == "" {
+		snapshotDir = filepath.Join("logs", "cloudflare-pricing-snapshots")
+	}
+	if err := os.MkdirAll(snapshotDir, 0o755); err != nil {
+		return cloudflarePricingSignatureGuardResult{}, fmt.Errorf("mkdir snapshot dir: %w", err)
+	}
+
+	snapshotPath, signaturePath := resolveCloudflarePricingSnapshotPaths("", "", snapshotDir, now)
+	baselinePath := cfg.BaselinePath
+	if baselinePath == "" {
+		baselinePath = filepath.Join(snapshotDir, "baseline.signature.json")
+	}
+
+	clientCfg := cloudflarePricingImportConfig{
+		URL:          cfg.URL,
+		Fixture:      cfg.Fixture,
+		DryRun:       true,
+		Timeout:      cfg.Timeout,
+		SnapshotOnly: true,
+		SnapshotOut:  snapshotPath,
+		SignatureOut: signaturePath,
+	}
+	if err := runCloudflarePricingImport(clientCfg, nil, ioDiscard{}); err != nil {
+		return cloudflarePricingSignatureGuardResult{}, err
+	}
+
+	current, err := readMarkdownPricingStructureSignature(signaturePath)
+	if err != nil {
+		return cloudflarePricingSignatureGuardResult{}, err
+	}
+	result := cloudflarePricingSignatureGuardResult{
+		SnapshotPath:     snapshotPath,
+		SignaturePath:    signaturePath,
+		BaselinePath:     baselinePath,
+		CurrentSignature: current,
+	}
+
+	previous, err := readMarkdownPricingStructureSignature(baselinePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			if !cfg.AllowBootstrap {
+				return result, fmt.Errorf("cloudflare pricing baseline missing: %s", baselinePath)
+			}
+			if err := copyFileCommon(signaturePath, baselinePath); err != nil {
+				return result, fmt.Errorf("initialize baseline: %w", err)
+			}
+			result.BaselineInitialized = true
+			return result, nil
+		}
+		return result, err
+	}
+
+	result.PreviousBaselineHash = previous.StructureSHA256
+	if previous.StructureSHA256 != current.StructureSHA256 {
+		result.DriftDetected = true
+		return result, fmt.Errorf(
+			"cloudflare pricing structure drift detected: baseline=%s current=%s baseline_path=%s signature_path=%s snapshot_path=%s",
+			previous.StructureSHA256, current.StructureSHA256, baselinePath, signaturePath, snapshotPath,
+		)
+	}
+	return result, nil
+}
+
+func formatCloudflarePricingSignatureGuardSummary(result cloudflarePricingSignatureGuardResult) string {
+	return fmt.Sprintf(
+		"source=cloudflare-pricing-signature-guard drift=%t baseline_initialized=%t structure_sha256=%s previous_baseline_sha256=%s snapshot_out=%s signature_out=%s baseline_path=%s",
+		result.DriftDetected,
+		result.BaselineInitialized,
+		result.CurrentSignature.StructureSHA256,
+		emptyIfBlank(result.PreviousBaselineHash),
+		result.SnapshotPath,
+		result.SignaturePath,
+		result.BaselinePath,
+	)
+}
+
+func buildCloudflarePricingSignatureAuditRecord(cfg cloudflarePricingSignatureGuardConfig, result cloudflarePricingSignatureGuardResult, checkedAt time.Time, runErr error) officialImportSignatureAuditRecord {
+	record := officialImportSignatureAuditRecord{
+		SourceKey:               "cloudflare_pricing_signature",
+		CheckedAt:               checkedAt,
+		Status:                  officialImportSignatureAuditStatus(result.DriftDetected, result.BaselineInitialized, runErr),
+		DriftDetected:           result.DriftDetected,
+		BaselineInitialized:     result.BaselineInitialized,
+		SourceURL:               strings.TrimSpace(cfg.URL),
+		FixturePath:             strings.TrimSpace(cfg.Fixture),
+		SnapshotPath:            strings.TrimSpace(result.SnapshotPath),
+		SignaturePath:           strings.TrimSpace(result.SignaturePath),
+		BaselinePath:            strings.TrimSpace(result.BaselinePath),
+		StructureSHA256:         strings.TrimSpace(result.CurrentSignature.StructureSHA256),
+		PreviousStructureSHA256: strings.TrimSpace(result.PreviousBaselineHash),
+		ByteSize:                result.CurrentSignature.ByteSize,
+		ErrorMessage:            errorMessageText(runErr),
+	}
+	if hasMarkdownPricingStructureSignature(result.CurrentSignature) {
+		signatureCopy := result.CurrentSignature
+		record.SignaturePayload = &signatureCopy
+	}
+	return record
+}
+
+func persistCloudflarePricingSignatureAuditIfConfigured(cfg cloudflarePricingSignatureGuardConfig, result cloudflarePricingSignatureGuardResult, checkedAt time.Time, runErr error) error {
+	return persistOfficialImportSignatureAuditIfConfigured(buildCloudflarePricingSignatureAuditRecord(cfg, result, checkedAt, runErr))
+}